Security & Compliance
DDash is a read-only monitoring overlay. It connects via API and webhooks. It does not initiate, route, record, or modify calls.
Infrastructure
Cloud Provider
AWS (US-West-2, Oregon)
Compute
AWS Lightsail, Docker Compose
Database
TimescaleDB (PostgreSQL 16)
Messaging
Redis 7.x pub/sub
Web Server
nginx with TLS termination
Frontend
React + Vite, static assets
Encryption
In Transit
TLS 1.2+ on all connections. HTTPS enforced.
At Rest
AWS volume-level encryption for all storage.
Immutable Event Architecture
Two-database isolation for integrity and non-repudiation.
Operational Database
Current agent state, active calls, live dashboard data. Read/write.
Event Archive
Append-only immutable record. INSERT-only permissions. No UPDATE/DELETE.
No service holds credentials to both databases. Isolation enforced at container and credential level.
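One way to express an INSERT-only archive in PostgreSQL, as an added example and not DDash's own configuration. The role, schema and table names (event_writer, event_archive, agent_events) and the password placeholder are hypothetical, and the sketch assumes a plain PostgreSQL table on a database instance separate from the operational one.

```sql
-- Added example with hypothetical names; run as the archive owner.
-- Assumes the archive is its own PostgreSQL instance, so event_writer
-- does not exist on the operational side.
CREATE ROLE event_writer LOGIN PASSWORD 'CHANGE_ME_PLACEHOLDER'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

CREATE SCHEMA event_archive;

CREATE TABLE event_archive.agent_events (
    event_id    bigint GENERATED ALWAYS AS IDENTITY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    event_type  text        NOT NULL,
    payload     jsonb       NOT NULL
);

-- Start from nothing, then grant only what an append-only writer needs.
REVOKE ALL ON SCHEMA event_archive FROM PUBLIC;
REVOKE ALL ON event_archive.agent_events FROM PUBLIC, event_writer;
GRANT USAGE  ON SCHEMA event_archive TO event_writer;
GRANT INSERT ON event_archive.agent_events TO event_writer;

-- Defense in depth: reject rewrites even if a grant is widened by mistake.
CREATE FUNCTION event_archive.reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'event archive is append-only (% blocked)', TG_OP;
END;
$$;

CREATE TRIGGER agent_events_no_rewrite
    BEFORE UPDATE OR DELETE ON event_archive.agent_events
    FOR EACH ROW EXECUTE FUNCTION event_archive.reject_mutation();

CREATE TRIGGER agent_events_no_truncate
    BEFORE TRUNCATE ON event_archive.agent_events
    FOR EACH STATEMENT EXECUTE FUNCTION event_archive.reject_mutation();

-- Audit check: the only privilege listed for the writer should be INSERT.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'event_archive'
  AND table_name   = 'agent_events'
  AND grantee      = 'event_writer';
```

The triggers fire for the table owner as well, so under this scheme retention expiry has to drop whole partitions from a separate maintenance role rather than issue DELETE.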
Access Controls
Authentication
Microsoft Entra, Google, GitHub, Discord, local credentials. SAML on Enterprise tier.
Authorization
RBAC with four roles: admin, supervisor, operator, user. Least-privilege principle.
Network
AWS security groups. No public database ports. Docker containers on private network.
Data Handling
We Collect
- Agent status events
- Call metadata (ID, time, duration)
- Queue metrics
- User identifiers (name, email, extension)
We Don't Collect
- Call audio or recordings
- Voicemail content
- SMS/video content
- SSNs or financial data
Default retention: 90 days (configurable). Backups: 7-day snapshots. Breach notification: 72 hours.
Compliance Position
| Framework | Status |
|---|---|
| GDPR | SCCs, DPA (all tiers), data subject rights assistance |
| CCPA | No sale/share of personal info. Deletion within 30 days. |
| HIPAA | No PHI processed. BAA available Enterprise tier. |
| SOC 2 | On roadmap. Controls consistent with TSC. |
| PCI DSS | Not applicable — no payment card data processed. |
Legal Documents
Security questions or vulnerability reports:
security@rprtechnologies.com